Radius authentication

We're using Cisco ACS as a radius server which uses active directory to authenticate users. All ssh logins to the ASA authenticate to that radius server.

We also use that Radius server for VPN authentication...the problem I'm having is that since we have to enable the dial-in property in AD to allow people to VPN, they are also able to SSH into the firewall, although since we also use command authorization they are not able to actually do anything. The VPN users group in radius is separate from the network management users group...is there a property or anything I can set to disable users in the VPN Users group from being able to login to the firewall?

Re: Radius authentication
